1. The Field of the Invention
The present invention relates to controlling access to computer resources. More specifically, the present invention relates to integrating the access control of computer resources to namespaces beyond the namespaces of a file system.
2. Background and Relevant Art
An issue of substantial concern in computer networks is maintaining the integrity of their resources by preventing unauthorized access to those resources. A primary method of preventing unauthorized access to a resource or a computer network is to authenticate the identity of the potential user. Authentication is the process of ensuring that logins and messages from a user originate from an authorized source. More simply, authentication is the process of discovering the identity of the user. Frequently, this requires a potential user to supply the network or computer system with a user name and a user password. The user name and the user password are verified by the system, which may include comparing them with a security database containing authorized user names and corresponding passwords. If a user is authenticated, access to the system and its resources is granted.
Resources are still protected, however, even after a user has successfully logged on to the computer system. In many systems, all resources are assigned, or associated with, a security descriptor or are protected in some other manner. This applies not only to resources such as files, folders and directories, but also to threads, processes, events, and access tokens. The main function of the security descriptor is to detail the security of the resource. This can be done by identifying which users have access to an object or resource and what those users can do with that resource. Read access and write access are two rights that are frequently listed in the security descriptor.
In some systems, the security descriptor is referred to as an access control list (ACL), which can be described as a small database. The access control list contains a plurality of access control entries (ACEs), and each access control entry defines a particular right or group of rights. For instance, the first ACE associated with an object or resource may indicate that a particular user has read rights. The next ACE may detail the rights of a group of users to the resource associated with the ACL. When a user attempts to access a resource, the security system proceeds through the ACL to determine the access rights of the user. If the user is granted access to the object or resource, a handle is given to the process seeking access.
In a computer network, the security system is able to enforce the access controls or security descriptors related to access requests that specify a physical address of a resource. For example, when a user seeks access to “G:\web\” the security system can enforce the access control for at least two reasons. First, the user seeking access has been identified and authenticated when the user logged on to the computer network. Second, the user is seeking access to a known resource or object. The security system can analyze the access control to determine the rights of the user as to that resource.
The problem becomes more difficult when a remote user has logged on or accessed the system. The identity of the user is still authenticated, but the user does not reference the resource to be accessed using the notation of “drive:\folder\resource.” Rather, the remote user employs a Uniform Resource Locator (URL) to access a particular resource. A URL represents a namespace or a domain, but must first be translated to the physical address of the resource. The translation is typically performed by a server which functions as an interface between the computer system, the resources of the computer system and the remote user.
Because the URL provided by the remote user is translated, the access control associated with the resource cannot be directly enforced by the computer system against the remote user. Instead, the server, which typically has rights and privileges to the system that are much greater than those of the typical remote user, accesses the resource and also enforces the access control by determining the rights of the remote user.
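The arrangement described above, as an added example that is not part of the original text: a server translates a URL to a physical path and then walks the resource's ACL on behalf of the remote user, while its own account holds broader rights. Apart from "G:\web\", every name, path, user and group here is a constructed assumption, and the ACL model is simplified to entries that only grant rights.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class Ace:
    principal: str        # user or group the entry applies to
    rights: frozenset     # rights this entry grants, e.g. {"read"}


# Constructed sample data (assumptions, not from the original text).
URL_ROOTS = {"/web/": "G:\\web\\"}            # URL prefix -> physical root
GROUPS = {"alice": {"editors"}, "bob": set(), "webserver": {"admins"}}
ACLS = {
    "G:\\web\\index.htm": [Ace("bob", frozenset({"read"})),
                           Ace("editors", frozenset({"read", "write"}))],
    "G:\\web\\admin\\users.htm": [Ace("admins", frozenset({"read", "write"}))],
}


def translate(url):
    """Translate a URL to a physical path; None if it maps to no root."""
    path = posixpath.normpath(unquote(urlsplit(url).path))
    if "\\" in path:                          # refuse mixed separators
        return None
    for prefix, root in URL_ROOTS.items():
        if path.startswith(prefix):
            return root + path[len(prefix):].replace("/", "\\")
    return None


def granted_rights(user, physical_path):
    """Walk the ACL in order, collecting rights from matching ACEs."""
    principals = {user} | GROUPS.get(user, set())
    rights = set()
    for ace in ACLS.get(physical_path, []):   # no ACL -> no rights
        if ace.principal in principals:
            rights |= ace.rights
    return rights


def authorize(remote_user, url, right):
    """Check the translated resource against the remote user's identity."""
    physical = translate(url)
    return physical is not None and right in granted_rights(remote_user, physical)


if __name__ == "__main__":
    url = "http://example.test/web/admin/users.htm"
    print("webserver:", authorize("webserver", url, "read"))  # server's own rights
    print("bob:", authorize("bob", url, "read"))              # remote user's rights
```

The same URL is readable under the server's identity but not under the remote user's, so the outcome depends entirely on the server performing the check with the correct identity after translation.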
It would be an improvement in the art to apply access controls directly against remote users. In other words, there is a need to integrate access control into a URL namespace.